IG-01-022

AUDIT REPORT

INFORMATION TECHNOLOGY SECURITY PLANNING

March 30, 2001

OFFICE OF INSPECTOR GENERAL
National Aeronautics and Space Administration

Additional Copies

To obtain additional copies of this report, contact the Assistant Inspector General for Auditing at (202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Assistant Inspector General for Auditing. Ideas and requests can also be mailed to:

         Assistant Inspector General for Auditing
         Code W
         NASA Headquarters
         Washington, DC 20546-0001

NASA Hotline

To report fraud, waste, abuse, or mismanagement contact the NASA Hotline at (800) 424-9183, (800) 535-8134 (TDD), or at www.hq.nasa.gov/office/oig/hq/hotline.html#form; or write to the NASA Inspector General, P.O. Box 23089, L'Enfant Plaza Station, Washington, DC 20026.
The identity of each writer and caller can be kept confidential, upon request, to the extent permitted by law.

Reader Survey

Please complete the reader survey at the end of this report or at www.hq.nasa.gov/office/oig/hq/audits.html.

Acronyms

ASIS    American Society for Industrial Security
GAO     General Accounting Office
GPRA    Government Performance and Results Act
IT      Information Technology
NPD     NASA Policy Directive
NPG     NASA Procedures and Guidelines
OMB     Office of Management and Budget
PCIE    President's Council on Integrity and Efficiency

W                                                        March 30, 2001

TO:       A/Administrator

FROM:     W/Inspector General

SUBJECT:  INFORMATION: Information Technology Security Planning
          Report Number IG-01-022

The NASA Office of Inspector General has completed an audit of System Information Technology Security Planning. We found that NASA has established adequate processes to ensure information technology (IT) security is considered as a part of the Agency's strategic information resource program planning. NASA has established many new IT security policies in response to the General Accounting Office (GAO) report number GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious Risks," May 1999,[1] and NASA's internal "Information Technology Security Program Review," August 1998.[2] The new policies are adequate, but substantial work remains to fully implement them. However, the limited metrics in the fiscal year 2001 performance plan do not provide an adequate assessment of NASA's IT security program. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C.
§552 (b)(2) & (5).]

[1] See Appendix B for a summary of the GAO report and Appendix C for the open recommendations.
[2] See Appendix C for a summary of the NASA internal IT security review.

Background

On October 30, 2000, the President signed into law the fiscal year 2001 Defense Authorization Act (Public Law 106-398) including Title X, subtitle G, "Government Information Security Reform" (the Security Act). The Security Act provides a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets and a mechanism for improved oversight of Federal agency information security programs. The Government Performance and Results Act of 1993 (GPRA) requires Federal agencies to set goals, targets,[3] and indicators to gauge performance and report annually to the Congress on agency success in meeting those goals. One of NASA's targets for fiscal year 2001 is to enhance IT security through a reduction of system vulnerabilities at all NASA Centers. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

Recommendations

We recommended that the NASA Chief Information Officer include a description of the time and resources necessary to implement the Agency's information security program in NASA's annual performance plans and develop additional GPRA IT security metrics. These actions will provide the Congress with the information required by the Security Act and improve NASA's ability to measure the performance of its IT security program.
We also recommended that NASA select vulnerabilities that ensure the data for the current IT systems vulnerability performance indicator accurately reflects the Agency's IT security risk. Increasing the number of vulnerabilities tested by selecting more recently discovered vulnerabilities will better measure the risk to NASA's IT systems. Finally, we recommended that NASA describe the extent of IT security vulnerability testing in the annual GPRA report. This explanation will enable the Congress to better understand the metric currently used to measure reductions in IT system vulnerability.

Management's Response

NASA concurred with three of the recommendations and partially concurred with the recommendation to select vulnerabilities that ensure the data for the current IT systems vulnerability performance indicator accurately reflects NASA's IT security risk. NASA did not fully concur due primarily to concerns about the amount of additional testing for vulnerabilities that might be required. Nonetheless, NASA has already changed the metric and requested that the Centers scan for an updated list of vulnerabilities and is planning to update the metric periodically. In addition, the Chief Information Officer has agreed to work collaboratively with my office on the amount of testing required.

[3] Target is the term NASA uses in the Performance Plan for those measures or metrics that the Agency established to accomplish (and measure) the individual goals and objectives.

Details on the status of the recommendations are in the finding section of the report.

[original signed by]
Roberta L.
Gross

Enclosure

Final Report on Audit of Information Technology Security Planning

FINAL REPORT
INFORMATION TECHNOLOGY SECURITY PLANNING

W                                                        March 30, 2001

TO:       AO/Chief Information Officer

FROM:     Assistant Inspector General for Auditing

SUBJECT:  Final Report on the Audit of Information Technology Security Planning
          Assignment Number A0003701
          Report Number IG-01-022

The subject final report is provided for your information and use. Please refer to the Executive Summary for the overall audit results. Our evaluation of your responses has been incorporated into the body of the report. The recommendations will remain open for reporting purposes until corrective action is completed. Please notify us when action has been completed on the recommendations, including the extent of testing performed to ensure corrective actions are effective.

If you have questions concerning the report, please contact Mr. Gregory B. Melson, Program Director, Information Assurance Audits, at (202) 358-2588; Mr. Ernest L. Willard, Program Manager, Information Assurance Audits, at (650) 604-2676; or Mr. James W. Geith, Auditor-in-Charge, at (301) 286-7943. We appreciate the courtesies extended to the audit staff. The final report distribution is in Appendix G.

[original signed by]
Russell A. Rau

Enclosure

cc:
B/Acting Chief Financial Officer
B/Comptroller
BF/Director, Financial Management Division
G/General Counsel
JM/Director, Management Assessment Division
KSC/AA/Director, John F. Kennedy Space Center

Contents

Executive Summary, i

Introduction, 1

Finding and Recommendations, 2

     Finding.
NASA's Information System Vulnerability Metric, 2

Appendix A - Objectives, Scope, and Methodology, 11

Appendix B - Summary of Prior Audit Coverage, 13

Appendix C - Information Technology Security Recommendations, 16

Appendix D - Other Matters of Interest, 19

Appendix E - Common Threats, 22

Appendix F - Management's Response, 27

Appendix G - Report Distribution, 30

NASA Office of Inspector General

IG-01-022                                                March 30, 2001
A0003701

Information Technology Security Planning

Executive Summary

Background. Successful accomplishment of NASA's mission depends heavily on automated information resources. As technology evolves, these resources face increasing vulnerability to external and internal attacks. The single most important factor in prompting the establishment of an effective IT security program is a general recognition and understanding among the organization's most senior executives of the enormous risks to business operations associated with relying on automated and highly interconnected systems.

Objectives. The overall audit objective was to determine whether NASA had established and implemented effective policies and procedures for IT security planning in accordance with Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," dated February 8, 1996.
Specifically, we determined whether the Agency:

•   established effective IT security planning processes as an integral part of its strategic information resources management program and

•   developed adequate IT system vulnerability metrics for reporting under GPRA.

The originally announced audit objectives included determining whether NASA had established and implemented effective security plans for general-support systems,[4] major applications,[5] and publicly accessible Web sites.[6] We covered this objective in audit report number IG-00-055, "System Information Technology Security Planning," dated September 28, 2000, which is summarized in Appendix B.

We also reviewed management actions on the recommendations from NASA's internal "Information Technology Security Program Review," August 1998 and GAO report number GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious Risks," May 1999. Details on our objectives, scope, and methodology are in Appendix A.

[4] OMB Circular A-130 defines a general-support system as "an interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."
[5] OMB Circular A-130 defines a major application as "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."
[6] A publicly accessible Web site is one designed to be viewed by the general public. These Web sites are advertised to the public, such as www.nasa.gov, or contain links to other NASA public Web sites.

Results of Audit.
NASA has established adequate processes to ensure IT security is considered as a part of the Agency's strategic information resource program planning. NASA has completed corrective actions for 7 of the 11 recommendations from NASA's 1998 internal IT security review and 8 of the 9 recommendations from the GAO report that affect IT security planning. Many of these recommendations relate to implementing new policies as shown in Appendix C. Overall, the new policies that NASA established are adequate, but substantial work remains to fully implement them.

However, NASA's current policies for scanning its computer systems for a limited number of vulnerabilities do not result in an adequate assessment of the Agency's IT system vulnerabilities. Specifically, the limited metrics in the fiscal year 2001 performance plan do not provide an adequate assessment of NASA's IT security program. As a result, the IT security risks and metrics that NASA reports to the Congress may understate NASA's IT vulnerabilities and provide undue assurance on the integrity, availability, and confidentiality of information.

Other Matters of Interest. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).[7][8] ] (Appendix D).

Recommendations.
We recommend that the NASA Chief Information Officer (1) include a description of the time and resources necessary to implement the Agency's information security program in the Agency annual performance plans, (2) develop additional GPRA IT security metrics, (3) select vulnerabilities that more accurately reflect NASA's IT security risk, and (4) describe the extent of IT security vulnerability testing in the GPRA report.

[7] The seven Centers that had designated their financial management systems as "special management attention" systems were Ames Research Center, Goddard Space Flight Center, John H. Glenn Research Center at Lewis Field, Lyndon B. Johnson Space Center, the Jet Propulsion Laboratory, Langley Research Center, and George C. Marshall Space Flight Center.
[8] "Special management attention" is a NASA term applied to information systems that require increased oversight due to the risk and magnitude of harm that would result from the loss, misuse, unauthorized access to or modification of the data in the system.

Management's Response. Management concurred with all but one recommendation. Management partially concurred with the recommendation to select vulnerabilities that more accurately reflect NASA's IT security risk. However, NASA has already changed the metric and has asked the Centers to scan for an updated list of vulnerabilities. Further, the Chief Information Officer will coordinate with the Inspector General's Office on the amount of testing for vulnerabilities.

Evaluation of Management's Response. Management's proposed actions are responsive to the recommendations.
The recommendations are resolved but will remain undispositioned and open until agreed-to corrective actions are completed.

Introduction

NASA Policy Directive 1000.1a, "NASA Strategic Plan 2000," defines the vision, mission, and fundamental questions of science and research that provide the foundation of the Agency's goals. The Strategic Plan describes the five Strategic Enterprises that manage the programs and activities to implement NASA's mission, answer the fundamental questions, and provide service to identified customers. The Strategic Enterprises are: Space Science, Earth Science, Biological and Physical Research, Human Exploration and Development of Space, and Aerospace Technology. The Strategic Plan also defines the Crosscutting Processes that support the Strategic Enterprises. The Crosscutting Processes are Manage Strategically, Provide Aerospace Products and Capabilities, Generate Knowledge, and Communicate Knowledge. One of the objectives of Manage Strategically is to "Enhance the security, efficiency, and support provided by our information technology resources."

To achieve security in computing, NASA Procedures and Guidelines (NPG) 2810.1, "Security of Information Technology," dated August 26, 1999, requires that NASA maintain the following three components of IT resources:

     a.  Integrity--The ability to ensure that information, the applications processing that information, the information technology systems used to run that information, and the hardware configuration, connectivity, and the status of privilege settings cannot be altered during processing, storage or transmission.

     b.  Availability--The ability to ensure that data, applications, and systems are accessible when and where needed.

     c.
Confidentiality--The ability to ensure that information is disclosed only to those who have a valid need to possess it.

Finding and Recommendations

Finding. NASA's Information System Vulnerability Metric

NASA's annual performance plan limits discussion of IT security programs to one performance target. In addition, NASA's current practices for computer system vulnerability scanning do not result in an accurate assessment of NASA's IT system vulnerabilities. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

Government Performance and Results Act

Congress enacted the GPRA to improve the efficiency of all Federal agencies. GPRA's specific goals are to:

    •    Improve Federal program management, effectiveness, and public accountability.

    •    Improve congressional decision making on where to commit the Nation's financial and human resources.

    •    Improve citizen confidence in Government performance.

The GPRA directed Executive Branch agencies to develop a customer-focused strategic plan that aligns activities with concrete missions and goals. GPRA directed agencies to manage and measure results to justify congressional appropriations and authorizations. Federal agencies are required to prepare and submit an annual Performance Plan to the Director of the Office of Management and Budget and the Congress.
The plan should establish objective and measurable performance goals, establish performance indicators to be used in measuring relevant outputs or other results, provide a basis for comparing actual results with the established goals, and describe the means to be used to verify and validate measured values. Six months after the end of each fiscal year, agencies report on the degree of success in achieving the goals and evaluation measures defined in the strategic and performance plans.

Government Information Security Reform

The Security Act codifies the existing requirements of OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," and requires agencies to:

•   incorporate security into the life cycle of agency information systems,

•   develop an agencywide information security program, and

•   conduct annual reviews of their information security programs and report the results to OMB for consolidation into a report to the Congress.

The Security Act also requires each agency's Chief Information Officer to include a description of the time periods and resources that are necessary to implement the information security program in the annual performance plan required by GPRA.

NASA's Fiscal Year 2001 Performance Plan

The NASA 2001 Performance Plan does not contain a description of the time periods and resources that are necessary to implement the information security program as required by the Security Act because NASA issued the plan before the Security Act became law.
Nevertheless, such information provides basic parameters contemplated under GPRA[9] and thus should be reported in the Performance Plan.

NASA's coverage of its IT security program in the fiscal year 2001 Performance Plan is limited to a target to improve IT infrastructure and enhance IT security as follows:

          Target: Improve IT infrastructure service delivery to provide increased capability and efficiency while maintaining a customer rating of "satisfactory," and enhance IT security through a reduction of system vulnerabilities across all NASA centers, [emphasis added] emphasizing IT security awareness training for all NASA personnel.[10]

To measure the reduction of system vulnerabilities, NASA chose a performance indicator that uses the results of IT system vulnerability scans. However, this indicator measures NASA's vulnerabilities to only a limited number of threats.
The indicator does not provide a complete picture of NASA's IT security programs.

[9] OMB requires an agency to briefly describe the operational processes, skills, and technology and the human, capital, information, or other resources required to meet the performance goals.
[10] NASA Inspector General Report G-00-019, "Assessment of Information Technology Security Training and Development and Other Human Resource Considerations," February 6, 2001, discusses a review of NASA's IT security awareness and training metrics.
[11] In the Computer Security Act of 1987, the Congress assigned the responsibility to prepare standards and guidelines for the security of sensitive Federal systems to the National Institute of Standards and Technology.

System Vulnerabilities

The National Institute of Standards and Technology issued a handbook, "An Introduction to Computer Security," Special Publication 800-12, to provide guidance to computer security personnel.[11] The handbook states:

          Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks. Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity.
          The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. . . .

          To control the risks of operating an information system, managers and users need to know the vulnerabilities of the system and the threats that may exploit them. Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it more cost-effective to simply tolerate the expected losses. Such decisions should be based on the results of a risk analysis.

Common threats include:

     •    errors and omissions by data entry clerks and system users;

     •    computer fraud and theft by insiders or outsiders;

     •    employee sabotage;

     •    loss of physical and infrastructure support;

     •    hackers;

     •    industrial, economic, and foreign government espionage;

     •    malicious code such as viruses, worms,[12] and Trojan horses;[13] and

     •    threats to personal privacy.

See Appendix E for an extract of the handbook's Chapter 4, "Common Threats: A Brief Overview."

[12] A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.
[13] A Trojan horse is a destructive program that masquerades as a benign application.
Unlike viruses, Trojan horses do not replicate themselves.

NASA's Quarterly Vulnerability Scans

To demonstrate that NASA is enhancing IT security through the reduction of system vulnerabilities, NASA is scanning its computer systems[14] quarterly [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] and collecting the data for its FY 2001 Performance Report, which is due March 31, 2002. Each NASA Center performs the quarterly scans and reports the data to the Principal Center for IT Security at Ames Research Center (Ames). The Principal Center for IT Security accumulates the data and presents it to the Congress in an annual performance report.

NASA managers use the scanning results to make improvements to their IT systems. After the Center performs the quarterly scans, NASA managers take actions to correct the vulnerabilities. Subsequently, the managers can ask for a rescan of their IT systems to determine whether they were successful in fixing the problem. This ongoing process results in a continual improvement of the security of the IT systems, particularly for the [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

Scanning Software Limitations

NASA does not use scanning software to detect many types of vulnerabilities. NASA's Principal Center for IT Security, in conjunction with the Centers' Chief Information Officers, decided to use a software package[15] that NASA owned when it started to scan computer systems. The [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] software performs scheduled or event-driven probes of network communication services, operating systems, routers, e-mail and Web servers, firewalls, and applications, thereby identifying system weaknesses that could be exploited by intruders to gain access to the network.
Hackers and persons conducting industrial, economic, and foreign government espionage often exploit these vulnerabilities. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

[Paragraph withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).[16] ]

[14] [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]
[15] [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]
[16] UNIX is an immensely powerful and complex operating system that provides multitasking and multiuser capabilities on a single computer.

NASA Uses Only Part of the [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] Software Capabilities

NASA's Information Technology Security Manager, in conjunction with the Center Chief Information Officers, decided to use an [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] software package[17] as a tool for gathering metric information for GPRA reporting. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).[18] ] The Agency established the baseline because of concern that too much time would be expended checking for nonexistent problems as a result of vulnerability tests that report the existence of a vulnerability when none exists. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).[19]]

However, the [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] software provides more capability than NASA utilizes. As of November 30, 2000, the [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]
software database contained tests for 802 vulnerabilities, and the capability to write custom code to scan for vulnerabilities that the software does not address in its current database. Further, [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] has grouped its 802 vulnerabilities into 38 categories that represent various types of vulnerabilities. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

New Vulnerabilities Are Discovered Daily

Hackers constantly find new ways to exploit systems. Therefore, [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] continually updates its database to include additional vulnerability checks for newly identified exploits of networks and data. For example, from August 2000 through December 2000, [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] issued 5 updates to its software that added 75 additional vulnerability checks. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).] considers 40 of those 75 new vulnerabilities to be high risk. [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

Annual Security Act Reviews

The Security Act requires that Agency program officials, in consultation with the Chief Information Officer, review each Agencywide information security program at least annually.

[17] [Withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]
[18] In addition to the quarterly scans for the annual performance report, each Center may scan for any vulnerabilities it chooses for its internal purposes; some Centers are doing this.
[19] At the time we performed the field work on vulnerability scanning (August to November 2000), NASA was still developing its scanning procedures and learning how to use the software.
We did not test the scanning data after NASA revised its procedures.

The annual review should include reviews of all programs included in the Agencywide program. To promote consistent reviews across the Government, the Chief Information Officer Council had the National Institute of Standards and Technology prepare the "Federal Information Technology Security Assessment Framework," dated November 28, 2000. Agencies can use the Framework coupled with the National Institute of Standards and Technology Self-Assessment Questionnaire[20] to assess the status of security controls for individual systems (that is, general-support systems, major applications, mission-critical systems) or a logically related group of systems that support operational programs.

Conclusion

NASA will report data to the Congress that could understate NASA's actual vulnerability to misuse, theft, or destruction of Government IT resources and provide undue assurance on the effectiveness of NASA's IT security program. We believe that the Congress' intent for GPRA and the annual performance reporting requirement is that the annual reports adequately and accurately state the results of any metrics used to measure performance against established targets and goals in the annual performance plans. Therefore, NASA should revise the current metric to reflect a more appropriate scan of significant and current vulnerability checks and make clear to the Congress that a specific, limited set of vulnerabilities is being reported. NASA should also indicate to the Congress how the Agency determined the appropriateness of the metrics.
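The revision and disclosure called for above can be made concrete. The Python script below is an added illustration written for this page; it is not NASA's scanning tooling, the scanner vendor's software, or any data from the audit. It models a quarterly vulnerability-reduction indicator that counts only a fixed baseline subset of a scanner's check catalog, and reports beside that indicator the facts a reader needs to judge what it omits: checks used versus available, vulnerability categories covered, high-risk checks the vendor released after the baseline was set but that are never scanned, and the share of a quarter's actual findings the indicator ignores. Every check identifier, category, severity, release date, host name and finding is constructed for the example, and the per-quarter findings assume full-catalog scans were run for comparison, as the report notes some Centers do for internal purposes.

```python
"""Vulnerability-reduction indicator with coverage disclosure.

Added example, not NASA's tooling or data. Every check id, category,
severity, release date, host and finding below is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Check:
    check_id: str
    category: str
    severity: str     # "high", "medium" or "low"
    released: date    # date the scanner vendor added this check


# Constructed scanner catalog (hypothetical ids; a real catalog has hundreds).
CATALOG = [
    Check("C001", "ftp", "high", date(1998, 3, 1)),
    Check("C002", "ftp", "medium", date(1998, 3, 1)),
    Check("C003", "rpc", "high", date(1998, 9, 15)),
    Check("C004", "web", "high", date(1999, 1, 10)),
    Check("C005", "web", "low", date(1999, 1, 10)),
    Check("C006", "mail", "high", date(2000, 9, 5)),    # released after baseline
    Check("C007", "mail", "medium", date(2000, 10, 20)),
    Check("C008", "dns", "high", date(2000, 12, 1)),
]

# The fixed subset the reported indicator counts, chosen on BASELINE_DATE.
BASELINE_DATE = date(1999, 6, 1)
BASELINE_IDS = {"C001", "C003", "C004"}

# Constructed findings from full-catalog scans, as (host, check_id) pairs.
FINDINGS = {
    "Q1": [("h1", "C001"), ("h2", "C001"), ("h2", "C003"), ("h3", "C004"),
           ("h1", "C006"), ("h4", "C008"), ("h4", "C002")],
    "Q2": [("h2", "C003"), ("h3", "C004"),
           ("h1", "C006"), ("h4", "C008"), ("h5", "C008"), ("h4", "C002")],
}


def reported_reduction(findings, baseline_ids, q_from, q_to):
    """The indicator as reported: baseline-check findings, quarter over quarter."""
    before = sum(1 for _, cid in findings[q_from] if cid in baseline_ids)
    after = sum(1 for _, cid in findings[q_to] if cid in baseline_ids)
    pct = 0.0 if before == 0 else round(100.0 * (before - after) / before, 1)
    return {"before": before, "after": after, "reduction_pct": pct}


def coverage_disclosure(catalog, baseline_ids, baseline_date):
    """Facts a reader of the indicator needs to judge what it does not measure."""
    used = [c for c in catalog if c.check_id in baseline_ids]
    stale_high = sorted(c.check_id for c in catalog
                        if c.severity == "high"
                        and c.released > baseline_date
                        and c.check_id not in baseline_ids)
    return {
        "checks_total": len(catalog),
        "checks_used": len(used),
        "coverage_pct": round(100.0 * len(used) / len(catalog), 1),
        "categories_total": len({c.category for c in catalog}),
        "categories_used": len({c.category for c in used}),
        "high_risk_unscanned_since_baseline": stale_high,
    }


def unreported_share(findings, baseline_ids, quarter):
    """Percentage of a quarter's actual findings that fall outside the baseline."""
    rows = findings[quarter]
    if not rows:
        return 0.0
    outside = sum(1 for _, cid in rows if cid not in baseline_ids)
    return round(100.0 * outside / len(rows), 1)


def metric_report(findings, catalog, baseline_ids, baseline_date, q_from, q_to):
    """The indicator together with the disclosure that should accompany it."""
    return {
        "reported": reported_reduction(findings, baseline_ids, q_from, q_to),
        "disclosure": coverage_disclosure(catalog, baseline_ids, baseline_date),
        "unreported_share_pct": unreported_share(findings, baseline_ids, q_to),
    }


if __name__ == "__main__":
    rep = metric_report(FINDINGS, CATALOG, BASELINE_IDS, BASELINE_DATE, "Q1", "Q2")
    r, d = rep["reported"], rep["disclosure"]
    print(f"Reported: {r['before']} -> {r['after']} baseline findings "
          f"({r['reduction_pct']}% reduction)")
    print(f"Checks used: {d['checks_used']} of {d['checks_total']} "
          f"({d['coverage_pct']}%); categories {d['categories_used']} of "
          f"{d['categories_total']}")
    print(f"High-risk checks released since baseline, never scanned: "
          f"{d['high_risk_unscanned_since_baseline']}")
    print(f"Share of Q2 findings the indicator ignores: "
          f"{rep['unreported_share_pct']}%")
```

On the constructed data the indicator reports a 50 percent reduction (4 baseline findings down to 2), while the disclosure shows that only 3 of 8 checks and 3 of 5 categories are counted, two high-risk checks released after the baseline are never scanned, and two thirds of the quarter's actual findings fall outside what is reported. Publishing the second set of numbers next to the first is the "make clear to the Congress" step; refreshing BASELINE_IDS against the release dates is the "revise the current metric" step.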
NASA should add information to the annual performance plan to show the time and resources required to implement its Agencywide IT security program.

The Security Act requirement to include information on the Agency's information security program in the annual performance plan and the requirement to submit an annual evaluation on the Agency's information security program indicate that the Congress wants comprehensive information on the Agency's IT security program. Therefore, NASA should expand coverage of the Agency's information security program in the annual performance plan.

Recommendations, Management's Response, and Evaluation of Response

The NASA Chief Information Officer should:

1. Include in the Agency annual performance plans a description of the time and resources that are necessary to implement the Agency's information security program as contemplated by GPRA and as required by the Government Information Security Reform, starting with the fiscal year 2003 plan. Also include in the annual performance plan the metrics for measuring the implementation of the Agency's information security program.

20 The National Institute of Standards and Technology will issue the Self-Assessment Questionnaire in 2001 as a National Institute of Standards and Technology Special Publication.

Management's Response. Concur. The Chief Information Officer already has a requirement in the IT portion of the NASA FY 2003 Program Operating Plan Call for Centers to identify the resources needed to implement the Agency's IT Security Program. The Chief Information Officer will seek to modify the FY 2003 annual performance plan to include the schedule and requirements mandated by the Government Information Security Reform Act.
The Chief Information Officer will include metrics for implementation of the IT security plan and will baseline those requirements in FY 2002. The complete text of management's response is in Appendix F.

Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.

2. Develop additional GPRA IT security metrics to cover the requirements of OMB Circular A-130, Appendix III.

Management's Response. Concur. NASA already gathers metrics on the four requirements of OMB Circular A-130, Appendix III, which address assigned responsibility, security plans, authorization to process, and periodic review. The Chief Information Officer will seek to add an additional IT Security GPRA metric, beginning in 2003, that will track the review of security controls for "special management attention"21 systems (see Appendix F).

Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.

3. Select vulnerabilities that ensure the data for the current IT systems vulnerability performance indicator accurately reflects NASA's IT security risk.

Management's Response. Partially concur. NASA agrees with our intent that the Chief Information Officer modify the metric to better reflect current vulnerabilities. When the metric was established in 1999, scanning tools were less mature than they are today. With the benefit of experience, NASA has already requested that the Centers change the metric to scan for an updated list of vulnerabilities and is planning to update the metric periodically. NASA is concerned about our use of the word "ensure."
Exhaustive testing for every vulnerability is not cost-effective and yields false positives. It is not currently possible to "ensure" that the performance indicator accurately reflects NASA's IT security risk. NASA believes that the current vulnerability testing reflects a balance of effectiveness and cost; however, the Chief Information Officer will work collaboratively with the Inspector General's office to retain proper balance between effective and exhaustive vulnerability testing (see Appendix F).

21 See footnote 8.

Evaluation of Management's Response. Management's proposed actions are responsive to the intent of the recommendation. We did not intend to imply that exhaustive testing for every possible vulnerability was necessary. We were concerned that the list of vulnerabilities had become outdated and should be revised to include new vulnerabilities that hackers are using to attack NASA computer systems. The recommendation is resolved but will remain undispositioned and open until agreed-to corrective actions are completed.

4. Describe the extent of vulnerability testing used to calculate the IT security metric in NASA's annual performance report to Congress.

Management's Response. Concur. The FY 2002 Performance Plan has been modified to more clearly state that only a specified set of vulnerabilities is included in the metric and that the scanned vulnerabilities may change from quarter to quarter (see Appendix F).

Evaluation of Management's Response. Management's proposed actions are responsive to the intent of the recommendation. The recommendation is resolved but will remain undispositioned and open until we are able to review the FY 2002 Performance Plan and the FY 2001 report to Congress.

Appendix A.
Objectives, Scope, and Methodology

Objectives

The overall objective was to determine whether NASA has established and implemented effective policies and procedures for information technology (IT) security planning in accordance with Office of Management and Budget (OMB) Circular A-130.22 Specifically, we determined whether the Agency has:

• established effective IT security planning processes as an integral part of its strategic information resources management program and

• developed adequate IT system vulnerability metrics for reporting under the Government Performance and Results Act (GPRA).

The originally announced audit objectives included determining whether NASA had established and implemented effective security plans for general-support systems, major applications, and publicly accessible Web sites. We covered this objective in audit report number IG-00-055, "System Information Technology Security Planning," September 28, 2000. The report is summarized in Appendix B.

We also reviewed the actions NASA management has taken on the recommendations from NASA's internal "Information Technology Security Program Review," and the General Accounting Office (GAO) report number GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious Risks." A summary of NASA's internal review is in Appendix C. A summary of the GAO report is in Appendix B.

Scope and Methodology

We performed work at NASA Headquarters, Ames Research Center (Ames), Goddard Space Flight Center (Goddard), John H. Glenn Research Center at Lewis Field (Glenn), Lyndon B. Johnson Space Center (Johnson), John F. Kennedy Space Center (Kennedy), the Jet Propulsion Laboratory (JPL), Langley Research Center (Langley), and George C. Marshall Space Flight Center (Marshall).
We reviewed NASA and Center directives, documents, plans, and reports related to the implementation of Federal laws and regulations and NASA policies on IT security, information resource management, strategic planning, and measuring performance. We interviewed NASA and contractor personnel on IT security planning. We also reviewed the management actions taken in response to the GAO report on NASA's IT security and NASA's internal IT security review.

22 The audit announcement stated that we would determine whether the Agency has implemented an adequate strategic information resources management plan that incorporates the system security plans for general-support systems and major applications. We cancelled this objective because the underlying requirement has been deleted by the Information Technology Reform Act of 1996.

We also interviewed NASA and contractor personnel on the development of the GPRA metric for reducing IT system vulnerabilities across all NASA Centers. We examined the capability of the quarterly scans to identify different types of vulnerabilities. We reviewed a sample of the quarterly IT system scan results at Johnson, Marshall, and Goddard by testing the procedures that NASA has developed for collecting information that the Agency will use to report whether it has met its goal of reducing IT system vulnerabilities.

Management Controls Reviewed

We reviewed NASA policies and procedures on strategic planning to determine whether IT security was included in the process. We also reviewed management controls relative to the fiscal year 2001 Performance Plan target for reducing IT system vulnerability.
We reviewed the procedures for conducting the quarterly scans and reporting the results to the Principal Center for IT Security for consolidation and incorporation into the annual performance report for fiscal year 2001.

We determined that controls needed to be strengthened to ensure that vulnerability scanning of NASA's IT systems is appropriate as discussed in the Finding section of the report.

Audit Field Work

We performed field work from August 2000 through January 2001 at NASA Headquarters, Ames, Goddard, Glenn, Johnson, the Jet Propulsion Laboratory, Kennedy, Langley, and Marshall. We performed the audit in accordance with generally accepted government auditing standards.

Appendix B. Summary of Prior Audit Coverage

The NASA Office of Inspector General and the General Accounting Office (GAO) issued reports relating to information technology (IT) security planning. The reports are summarized below. (See www.hq.nasa.gov/office/oig/hq/issuedaudits.html for copies of the NASA OIG reports.)

NASA Office of Inspector General

"System Information Technology Security Planning," Report Number IG-00-055, September 28, 2000. NASA had not adequately complied with the Computer Security Act of 1987 and Office of Management and Budget (OMB) Circular A-130. Specifically, NASA managers did not assign sufficient priority to IT security. NASA Headquarters and the Centers had no IT security plans for 17 of 38 "special management attention" systems and for 13 of 30 publicly accessible Web site host computers in our samples. The Jet Propulsion Laboratory had no IT security plans for its IT systems. In addition, there were no security plans, contingency plans, or risk assessments for five elements of a major information system. Initial and periodic personnel screening requirements in Agency policy did not comply with OMB Circular A-130 requirements.
Therefore, NASA's IT systems were at increased risk, and the effectiveness of NASA's IT security program was degraded. We recommended that:

• the NASA Chief Information Officer create an inventory containing the status of IT security plans and authorizations to use the systems.

• the Centers and the Jet Propulsion Laboratory submit quarterly status reports to the NASA Chief Information Officer until there is a current security plan and authorization to process for each IT system or system element.

• the Associate Administrator for Headquarters Operations, Associate Administrator for Space Science, Director, John H. Glenn Research Center at Lewis Field, Director, Goddard Space Flight Center, and Director, Langley Research Center report the Federal noncompliance conditions to the Agency's Internal Control Council23 as significant areas of concern.

• the Director, Goddard Space Flight Center expedite the development and implementation of IT security plans for one of NASA's major IT systems.

• the NASA Chief Information Officer expand policy requirements for personnel screenings to comply with OMB Circular A-130.

23 The Internal Control Council makes recommendations to the NASA Administrator on issues for NASA's annual statement of assurance to the President and Congress, pursuant to the Federal Managers' Financial Integrity Act and for incorporation into NASA's annual Accountability Report.

NASA management fully concurred with 7 of the 10 recommendations and has completed action on 3 of them.
The Centers and the Jet Propulsion Laboratory are submitting quarterly status reports on the status of their IT security plans to the NASA Chief Information Officer. The Director, Glenn Research Center at Lewis Field and the Director, Goddard Space Flight Center reported their respective Center's Federal noncompliance conditions as a significant area of concern.

NASA management partially concurred with three recommendations that the Associate Administrator for Headquarters Operations, Associate Administrator for Space Science, and the Director, Langley Research Center report the Federal noncompliance conditions to the Agency's Internal Control Council as significant areas of concern. We determined NASA management was not fully responsive to these recommendations and asked NASA management to reconsider its position.

General Accounting Office

"Information Security, Many NASA Mission-Critical Systems Face Serious Risks," Report Number GAO/AIMD-99-47, May 1999. NASA was not effectively and consistently managing IT security throughout the agency. NASA's IT security program did not include key elements of a comprehensive IT security management program. Specifically, the GAO reported that NASA:

• did not effectively assess risks or evaluate needs. One hundred thirty-five of the 155 mission-critical systems that we reviewed did not meet all of NASA's requirements for risk assessments.

• did not effectively implement policies and controls.
NASA's guidance did not specify what information can be posted on public World Wide Web sites nor how mission-critical systems should be protected from well-known Internet threats.

• was not monitoring policy compliance or the effectiveness of controls. NASA had not conducted an agency-wide review of IT security at its 10 field centers since 1991. Furthermore, the security of 60 percent of the systems that we reviewed had not been independently audited.

• was not providing required computer security training. NASA had no structured security training curriculum.

• did not centrally coordinate responses to security incidents. NASA field centers were not reporting incidents to the NASA Automated Systems Incident Response Capability.

    NASA management is aware that its IT security program needs improvement. Accordingly, in May 1998 NASA initiated a special review of its IT security program. The review identified a number of shortcomings that were consistent with our findings. Although NASA is planning to address these shortcomings, at the time of our review, few of the special review's recommendations had been implemented.

NASA management concurred with all of the GAO recommendations. See Appendix C for a summary of NASA's corrective actions.

Appendix C.
Information Technology Security Recommendations

We also reviewed the actions NASA management has taken on the recommendations from NASA's 1998 internal "Information Technology Security Program Review" and the General Accounting Office (GAO) report number GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious Risks."

NASA's 1998 Internal Information Technology Security Program Review

In May 1998, the NASA Acting Deputy Administrator commissioned a special top-to-bottom review of NASA's information technology (IT) security program to determine whether NASA has the appropriate organization, policies, technologies, authorities, skills, training, and awareness to provide appropriate levels of security to assure mission performance. The review team made 33 recommendations. The recommendations included changing NASA's organization and policies, ensuring IT security plans are developed and executed, establishing IT security and risk management training programs, certifying system and network administrators, and improving incident response reporting. Eleven of the recommendations pertained to IT security planning. According to NASA management, the Agency has completed corrective action on 7 of the 11 recommendations. Table C-1 contains the four open recommendations and the status of each recommendation.

Table C-1. Open Recommendations

Recommendation: The Chief Information Officer, Principal Centers,24 and Expert Centers25 should review and clarify their roles, responsibilities, and commitments for their assigned IT security missions. The Chief Information Officer, the appropriate Institutional Program Offices, and Center Directors should document their roles, responsibilities, and commitments to ensure that the Centers can accomplish their assignments.
Status: Corrective actions included issuing NASA Policy Directive (NPD) 2810.1, "Security of Information Technology," on October 1, 1998, and NASA Policy and Guidelines (NPG) 2810.1 (same title as the NPD). Some of the Principal Centers and Expert Centers have established Memorandums of Understanding. The remaining actions are to complete two Memoranda of Understanding between Principal Centers and Expert Centers. Although the Memorandums of Understanding are not completed, management stated that the Expert Centers are performing their required tasks.

Recommendation: Revise NPG 7120.5A, "NASA Program and Project Management Processes and Requirements," dated April 3, 1998, to include requirements that program and project managers include security planning in the basic design of new programs. This must include risk management and assessments, security plans for IT systems processing classified and sensitive information and security for command and control communications. The revision should include identification of classified or sensitive information in any form and awareness and training measures to be taken for each program.
Status: The Chief Information Officer and the Associate Administrator have identified the changes that will be included in the next release of NPG 7120.5A. The Office of the Chief Engineer is revising the entire NPG.

Recommendation: The Associate Administrator for Management Systems and Facilities and the Chief Information Officer should review all current NASA directives pertaining to IT security to ensure that all necessary facets of IT security are covered and that there are crisply defined responsibilities in each case. These responsibilities should also define and assign responsibility for NASA's external interfaces with law enforcement agencies in the case of preliminary criminal investigation.
Status: Changes have been made to many of the more important directives, such as NPD 2810.1, "Security of Information Technology"; and NPG 1620.1, "Security Procedures and Guidelines." Other NASA directives are being reviewed during the normal review cycle.

Recommendation: The Office of the Chief Engineer should modify NPG 7120.5A to incorporate a requirement for security risk management throughout the life cycle of every NASA program and project, that specifically addresses and documents IT security, the security of classified information, and the protection of command, control, and communications.
Status: The Chief Information Officer and the Associate Administrator for Security Management and Safeguards have completed identifying the additional changes that will be included in the next release of NPG 7120.5A. The Office of the Chief Engineer is revising the entire NPG.

24 The NASA Chief Information Officer established Principal Centers to lead or oversee projects and initiatives in specialized IT areas.
25 Expert Centers represent exceptional Agency capabilities in certain areas of science, engineering, or technology.

GAO Report

GAO Report Number GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious Risks," May 1999, contained 12 recommendations. Nine of the recommendations affected IT security planning. NASA has completed action on eight of the nine recommendations. The remaining recommendation is to develop and issue guidance that specifies what information is appropriate for posting on public World Wide Web sites and that distinguishes this information from information that is sensitive and should be more closely controlled. The NASA Chief Information Officer has prepared draft guidance that the NASA Office of General Counsel is reviewing.

Appendix D.
Other Matters of Interest

Federal Policies on Financial Management Systems

Office of Management and Budget (OMB) Circular A-127, "Financial Management Systems," requires that financial management systems be in place to process and record financial events effectively and efficiently and to provide complete, timely, reliable, and consistent information for decision makers and the public. This financial management information enables agencies to carry out their fiduciary responsibilities; deter fraud, waste, and abuse of Federal Government resources; and facilitate efficient and effective delivery of programs through relating financial consequences to program performance.

OMB Circular A-130, "Management of Federal Information Resources," Paragraph 8.a.1. states that agencies shall:

    (i) Consider the effects of their actions on the privacy rights of individuals, and ensure that appropriate legal and technical safeguards are implemented;

    (j) Record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government.

The Joint Financial Management Improvement Program directive, "Framework for Federal Financial Management Systems," January 1995, states:

    Computer systems, databases, and communication networks are key components of the information technology infrastructure upon which financial management systems depend.
    Computer security is an important element of internal control; it is essential for the operations of systems and the accuracy of the financial data collected, stored, and reported.

NASA Information Technology Security Policy

NASA Procedures and Guidelines (NPG) 2810.1, "Security of Information Technology," requires that the Center Chief Information Officers, Center Information Technology (IT) Security Managers, Organization Computer Security Officials, and line managers identify any systems that require "special management attention."26 Once systems are identified as requiring "special management attention," the NPG requires that senior NASA managers take a more active role in the systems' IT security programs.

26 "Special management attention" is a NASA term applied to information systems that require increased oversight due to the risk and magnitude of harm that would result from the loss, misuse, unauthorized access to or modification of the data in the system.

The NPG also describes some specific systems that require "special management attention." These systems include:

• Major Applications - Those applications that require special attention due to the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of the information in the application.

• Major Information Systems - Systems that the NASA Chief Information Officer has designated as "major information systems" for reporting in accordance with OMB Circular A-11, "Preparing and Submitting Budget Estimates," July 19, 2000.

• Mission-Critical Systems - Systems
that provide Agencywide support, such as wide area networks, Agencywide business functions, command and control of space systems, Agencywide consolidated IT resources, or IT resources that affect life support.

• NASA Resource Protection Facility - IT resources critical to a facility or operation designated under the NASA Resource Protection program by the cognizant program office.

• Center-Designated Systems - Other IT systems designated by the Center Director or Center Chief Information Officer.

[Paragraph withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

[Paragraph withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

[Paragraphs withheld per FOIA exemptions 2 & 5, 5 U.S.C. §552 (b)(2) & (5).]

Appendix E. Common Threats

The National Institute of Standards and Technology issued the handbook, "An Introduction to Computer Security," Special Publication 800-12, to provide guidance to computer security personnel. Chapter 4 of the Handbook, "Common Threats: A Brief Overview," describes some of the most prevalent threats:

    Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers.
    Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks. Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system.

    This chapter presents a broad view of the risky environment in which systems operate today. The threats and associated losses presented in this chapter were selected based on their prevalence and significance in the current computing environment and their expected growth. This list is not exhaustive, and some threats may combine elements from more than one area. This overview of many of today's common threats may prove useful to organizations studying their own threat environments; however, the perspective of this chapter is very broad. Thus, threats against particular systems could be quite different from those discussed here.

    To control the risks of operating an information system, managers and users need to know the vulnerabilities of the system and the threats that may exploit them. Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it more cost-effective to simply tolerate the expected losses. Such decisions should be based on the results of a risk analysis. . .

    4.1 Errors and Omissions

    Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.

    . . . Errors can occur during all phases of the systems life cycle. A long-term survey of computer-related economic losses conducted by Robert Courtney, a computer security consultant and former member of the Computer System Security and Privacy Advisory Board, found that 65 percent of losses to organizations were the result of errors and omissions. This figure was relatively consistent between both private and public sector organizations.

    Programming and development errors, often called "bugs," can range in severity from benign to catastrophic. In a 1989 study for the House Committee on Science, Space and Technology, entitled Bugs in the Program, the staff of the Subcommittee on Investigations and Oversight summarized the scope and severity of this problem in terms of government systems as follows:

        As expenditures grow, so do concerns about the reliability, cost and accuracy of ever-larger and more complex software systems.
These concerns are heightened as computers\n                       perform more critical tasks, where mistakes can cause\n                       financial turmoil, accidents, or in extreme cases, death.\n\n             Since the study\'s publication, the software industry has changed considerably,\n             with measurable improvements in software quality. Yet software "horror\n             stories" still abound . . . .\n\n             Installation and maintenance errors are another source of security problems.\n             For example, an audit by the President\'s Council for Integrity and Efficiency\n             (PCIE) in 1988 found that every one of the ten mainframe computer sites\n             studied had installation and maintenance errors that introduced significant\n             security vulnerabilities.\n\n             4.2 Fraud and Theft\n\n             Computer systems can be exploited for both fraud and theft both by\n             "automating" traditional methods of fraud and by using new methods. For\n             example, individuals may use a computer to skim small amounts of money from\n             a large number of financial accounts, assuming that small discrepancies may not\n             be investigated. Financial systems are not the only ones at risk. Systems that\n             control access to any resource are targets (e.g., time and attendance systems,\n             inventory systems, school grading systems, and long-distance telephone\n             systems).\n\n\n\n\n                                                   23\n\x0c                                                                                     Appendix E\n\n\nComputer fraud and theft can be committed by insiders or outsiders. Insiders\n(i.e., authorized users of a system) are responsible for the majority of fraud. 
A\n1993 InformationWeek/Ernst and Young study found that 90 percent of Chief\nInformation Officers viewed employees "who do not need to know"\ninformation as threats. The U.S. Department of Justice\'s Computer Crime Unit\ncontends that "insiders constitute the greatest threat to computer systems." . . .\n\n4.3 Employee Sabotage\n\nEmployees are most familiar with their employer\'s computers and applications,\nincluding knowing what actions might cause the most damage, mischief, or\nsabotage. The downsizing of organizations in both the public and private\nsectors has created a group of individuals with organizational knowledge, who\nmay retain potential system access (e.g., if system accounts are not deleted in a\ntimely manner). The number of incidents of employee sabotage is believed to\nbe much smaller than the instances of theft, but the cost of such incidents can\nbe quite high. . . .\n\n4.4 Loss of Physical and Infrastructure Support\n\nThe loss of supporting infrastructure includes power failures (outages, spikes,\nand brownouts), loss of communications, water outages and leaks, sewer\nproblems, lack of transportation services, fire, flood, civil unrest, and strikes.\nThese losses include such dramatic events as the explosion at the World Trade\nCenter and the Chicago tunnel flood, as well as more common events, such as\nbroken water pipes. Many of these issues are covered in Chapter 15. A loss of\ninfrastructure often results in system downtime, sometimes in unexpected\nways. For example, employees may not be able to get to work during a winter\nstorm, although the computer system may be functional.\n\n4.5 Malicious Hackers\n\nThe term malicious hackers, sometimes called crackers, refers to those who\nbreak into computers without authorization. They can include both outsiders\nand insiders. Much of the rise of hacker activity is often attributed to increases\nin connectivity in both government and industry. 
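
Section 4.3 above notes that former employees may retain system access when accounts are not deleted in a timely manner. The following added example (not code from the report, from NASA, or from the NIST handbook) is a defender's check for that condition: it reconciles HR separation records against account records, reports accounts left enabled or disabled after the deadline, reports any login after the separation date (retained access that was actually used), and lists dormant enabled accounts. The one-day grace period, the 90-day idle threshold, and all user names and dates are constructed assumptions.

```python
"""Stale-account review after personnel separation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Separation:
    user: str
    separated_on: date            # last day of employment per the HR record


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    disabled_on: Optional[date]   # None if the account was never disabled
    last_login: Optional[date]    # None if no login has been recorded


def review_separations(separations: List[Separation], accounts: List[Account],
                       as_of: date, grace_days: int = 1) -> List[Tuple[str, str]]:
    """Compare HR separations with account state and return (user, issue) findings.

    Policy assumed here: an account must be disabled within `grace_days` of the
    separation date. A login after the separation date is reported separately,
    because it shows the retained access was exercised and warrants investigation."""
    by_user: Dict[str, Account] = {a.user: a for a in accounts}
    findings: List[Tuple[str, str]] = []
    for sep in separations:
        acct = by_user.get(sep.user)
        if acct is None:
            continue                          # no account on record, nothing to disable
        deadline = sep.separated_on + timedelta(days=grace_days)
        if acct.enabled:
            if as_of > deadline:
                findings.append((sep.user, "still enabled past the disable deadline"))
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            late = (acct.disabled_on - deadline).days
            findings.append((sep.user, f"disabled {late} days after the deadline"))
        if acct.last_login is not None and acct.last_login > sep.separated_on:
            findings.append((sep.user, "login recorded after the separation date"))
    return findings


def dormant_accounts(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no login in the last `max_idle_days` days (or ever).
    Dormant accounts are a second symptom of deprovisioning that never happened."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.user for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


# Constructed sample records; the names and dates are not from the report.
AS_OF = date(2001, 3, 30)
SEPARATIONS = [
    Separation("jdoe", date(2001, 2, 15)),
    Separation("asmith", date(2001, 3, 1)),
    Separation("bjones", date(2001, 3, 20)),
    Separation("clee", date(2001, 3, 29)),
]
ACCOUNTS = [
    Account("jdoe", True, None, date(2001, 3, 2)),               # never disabled, used after leaving
    Account("asmith", False, date(2001, 3, 10), date(2001, 2, 28)),  # disabled, but late
    Account("bjones", False, date(2001, 3, 21), date(2001, 3, 19)),  # handled within the grace period
    Account("clee", True, None, date(2001, 3, 29)),              # separated yesterday, still in grace
    Account("mwong", True, None, date(2001, 3, 28)),             # current employee, active
    Account("svc_backup", True, None, date(2000, 11, 1)),        # enabled but idle for months
]

if __name__ == "__main__":
    for user, issue in review_separations(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{user}: {issue}")
    print("dormant:", dormant_accounts(ACCOUNTS, AS_OF))
```

Run as a scheduled job against exports from the HR system and the directory, the two reports give the system manager a short list of accounts to disable now and a second list of accounts whose owners should confirm they are still needed; the separation-date login check is the item to route to the security office.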
One 1992 study of a particular Internet site (i.e., one computer system) found that hackers attempted to break in at least once every other day.

The hacker threat should be considered in terms of past and potential future damage. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage, the hacker problem is widespread and serious. . . .

4.6 Industrial Espionage

Industrial espionage is the act of gathering proprietary data from private companies or the government for the purpose of aiding another company(ies). Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is often referred to as economic espionage. Since information is processed and stored on computer systems, computer security can help protect against such threats; it can do little, however, to reduce the threat of authorized employees selling that information.

Industrial espionage is on the rise. A 1992 study sponsored by the American Society for Industrial Security (ASIS) found that proprietary business information theft had increased 260 percent since 1985. The data indicated 30 percent of the reported losses in 1991 and 1992 had foreign involvement. The study also found that 58 percent of thefts were perpetrated by current or former employees. . . .

Within the area of economic espionage, the Central Intelligence Agency has stated that the main objective is obtaining information related to technology, but that information on U.S. Government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. The Federal Bureau of Investigation concurs that technology-related information is the main target, but also lists corporate proprietary information, such as negotiating positions and other contracting data, as a target.

4.7 Malicious Code

Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited" software. Sometimes mistakenly associated only with personal computers, malicious code can attack other platforms.

A 1993 study of viruses found that while the number of known viruses is increasing exponentially, the number of virus incidents is not. The study concluded that viruses are becoming more prevalent, but only "gradually." . . .

4.8 Foreign Government Espionage

In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions. Some unclassified information that may be of interest includes travel plans of senior officials, civil defense and emergency preparedness, manufacturing technologies, satellite data, personnel and payroll data, and law enforcement, investigative, and security files. Guidance should be sought from the cognizant security office regarding such threats.

4.9 Threats to Personal Privacy

The accumulation of vast amounts of electronic information about individuals by governments, credit bureaus, and private companies, combined with the ability of computers to monitor, process, and aggregate large amounts of information about individuals, has created a threat to individual privacy. The possibility that all of this information and technology may be able to be linked together has arisen as a specter of the modern information age. This is often referred to as "Big Brother." To guard against such intrusion, Congress has enacted legislation, over the years, such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines the boundaries of the legitimate uses of personal information collected by the government.

The threat to personal privacy arises from many sources. In several cases federal and state employees have sold personal information to private investigators or other "information brokers."

Appendix F. Management's Response

Appendix G. Report Distribution

National Aeronautics and Space Administration (NASA) Headquarters

A/Administrator
AA/Chief of Staff
AI/Associate Deputy Administrator
AO/Chief Information Officer
B/Acting Chief Financial Officer
B/Comptroller
BF/Director, Financial Management Division
C/Associate Administrator for Headquarters Operations
G/General Counsel
J/Associate Administrator for Management Systems
JM/Director, Management Assessment Division
L/Acting Associate Administrator for Legislative Affairs
Z/Acting Associate Administrator for Policy and Plans

NASA Centers

Director, Ames Research Center
 Chief Information Officer, Ames Research Center
Director, Dryden Flight Research Center
 Chief Information Officer, Dryden Flight Research Center
Director, John H. Glenn Research Center at Lewis Field
 Chief Information Officer, John H. Glenn Research Center at Lewis Field
Director, Goddard Space Flight Center
 Chief Information Officer, Goddard Space Flight Center
Director, Jet Propulsion Laboratory
 Chief Information Officer, Jet Propulsion Laboratory
Acting Director, Lyndon B. Johnson Space Center
 Chief Information Officer, Lyndon B. Johnson Space Center
Director, John F. Kennedy Space Center
 Chief Information Officer, John F. Kennedy Space Center
 Chief Counsel, John F. Kennedy Space Center
Director, Langley Research Center
 Chief Information Officer, Langley Research Center
Director, George C. Marshall Space Flight Center
 Chief Information Officer, George C. Marshall Space Flight Center
Acting Director, John C. Stennis Space Center
 Chief Information Officer, John C. Stennis Space Center

Non-NASA Federal Organizations and Individuals

Assistant to the President for Science and Technology Policy
Deputy Associate Director, Energy and Science Division, Office of Management and Budget
Branch Chief, Science and Space Programs Branch, Energy and Science Division, Office of Management and Budget
Director, Acquisition and Sourcing Management Team, General Accounting Office
Professional Staff Member, Senate Subcommittee on Science, Technology, and Space

Chairman and Ranking Minority Member – Congressional Committees and Subcommittees

Senate Committee on Appropriations
Senate Subcommittee on VA, HUD, and Independent Agencies
Senate Committee on Commerce, Science, and Transportation
Senate Subcommittee on Science, Technology, and Space
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on VA, HUD, and Independent Agencies
House Committee on Government Reform and Oversight
House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations
House Subcommittee on National Security, Veterans Affairs, and International Relations
House Subcommittee on Technology and Procurement Policy
House Committee on Science
House Subcommittee on Space and Aeronautics, Committee on Science

Congressional Member

Honorable Pete Sessions, U.S. House of Representatives

NASA Assistant Inspector General for Auditing
Reader Survey

The NASA Office of Inspector General has a continuing interest in improving the usefulness of our reports. We wish to make our reports responsive to our customers' interests, consistent with our statutory responsibility. Could you help us by completing our reader survey? For your convenience, the questionnaire can be completed electronically through our homepage at http://www.hq.nasa.gov/office/oig/hq/audits.html or can be mailed to the Assistant Inspector General for Auditing; NASA Headquarters, Code W, Washington, DC 20546-0001.

Report Title: System Information Technology Security Planning

Report Number:                                  Report Date:

Circle the appropriate rating for the following statements.

Rating scale: 5 = Strongly Agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly Disagree, N/A

1. The report was clear, readable, and logically organized.                                    5   4   3   2   1   N/A
2. The report was concise and to the point.                                                    5   4   3   2   1   N/A
3. We effectively communicated the audit objectives, scope, and methodology.                  5   4   3   2   1   N/A
4. The report contained sufficient information to support the finding(s) in a balanced and
   objective manner.                                                                           5   4   3   2   1   N/A

Overall, how would you rate the report?

      Excellent
      Very Good
      Good
      Fair
      Poor

If you have any additional comments or wish to elaborate on any of the above responses, please write them here. Use additional paper if necessary.

How did you use the report?

How could we improve our report?

How would you identify yourself? (Select one)

      Congressional Staff
      NASA Employee
      Private Citizen
      Media
      Public Interest
      Other:
      Government:   Federal:   State:   Local:

May we contact you about your comments?

Yes: ______                                   No: ______
Name: ____________________________
Telephone: ________________________

Major Contributors to the Report

Gregory B. Melson, Program Director, Information Assurance Audits

Ernest L. Willard, Audit Program Manager

James W. Geith, Auditor-in-Charge

Dennis A. Clay, Auditor

Kathy Kirby, Auditor

Patricia C. Reid, Program Assistant

Nancy C. Cipolla, Report Process Manager